PCI Security Standards Council talks security awareness and training

Are your employees prepared to protect the cardholder data they process, store and transmit? With over 120 billion card payments — or $6.48 trillion dollars in transactions — processed yearly in the U.S. alone, it's easy to see why payment card fraud remains on hackers' holiday wish lists this season and beyond.

This episode of the Cyber Work podcast is a rebroadcast of a webinar featuring Elizabeth Terry, Community Engagement Manager at PCI Security Standards Council, and Lisa Plaggemier, Chief Evangelist at Infosec. In this podcast, you'll learn how to build, communicate and report on an engaging awareness program that complies with PCI DSS requirements.

Megan Sawle: Hi everyone and welcome to today's webinar, "PCI Security Standards Council talks security awareness and training." My name is Megan Sawle and I'll be your moderator. Before we begin, I'd like to explain a few tips to make this webinar a more interactive and engaging experience. As listeners you're all on listen-only mode. This means that you're muted, but you're more than welcome to ask questions at any time by typing them in using the control panel's question feature. We'll save some time at the end to have our panelists answer your questions. I'm joined today by two awareness and training experts, Elizabeth Terry and Lisa Plaggemier. Elizabeth Terry has over 25 years' experience in the payment card industry, including over 20 years managing enterprise projects encompassing PCI compliance, security, system design, implementation and replacement as well as standards development initiatives at PCI SSC. Her responsibilities for the Council have ranged from research and development of new standards to updates to existing standards to address market changes as well as working with other regulatory bodies, vendors, labs and academia. Elizabeth served as the chair for both the mobile working group and mobile task force as well as numerous special interest groups in her seven years at the Standards Group at PCI. In her current role as community engagement manager for the Council, her primary objective is to enhance the value of the PCI SSC programs for all participants. She's also responsible for collaborating with key stakeholders internally and externally to the PCI SSC, as well as being the contact for stakeholder relationship management. Miss Terry holds a master's in business administration and a bachelor's in computer science and is a current PMP, CISSP, CBSA, PCIP and CDMA. Lisa Plaggemier is Chief Evangelist at Infosec, a leading security education provider.
She has a track record of demystifying security to engage and empower employees to better protect their organizations. Lisa draws on her years of international marketing experience to advocate for security training and awareness programs that are fun and provocative. This approach helps cut through the clutter, engages learners and gets measurable results. Recognized as an influential voice in the security industry, Lisa has spoken at RSA, Gartner and other major events. Previously she was Director of Security Culture, Risk and Client Advocacy for CDK Global; her career started in marketing with Ford Motor Company in the US and EMEA. Lisa is a University of Michigan graduate and calls Austin, Texas home. Thanks for joining me today Elizabeth and Lisa.

Elizabeth Terry: Thank you for having me.

Lisa Plaggemier: Yeah thanks Megan.

Elizabeth: So first, yeah, first I would just like to give a little bit of background about the PCI Security Standards Council for those of you that don't know. PCI Security Standards Council was created in 2006 by the founding payment card brands, American Express, Discover Services, JCB International, MasterCard and Visa Inc. And we have more than 750 participating organizations around the world that represent merchants, banks, processors, vendors, et cetera. So the first thing that I would like to just spend a couple of moments is to talk about the mission statement. So our mission statement is to enhance global payment account data security by developing standards and supporting services that drive education, awareness and effective implementation by card holders or stakeholders, excuse me. So we do this through our strategic framework, which is just simply our mission statement plus four strategic pillars which are increasing industry participation and knowledge, evolving security standards and validation and then securing emerging payment channels and then increasing standards alignment and consistency. So, just really quickly, this helps us to drive every decision that we make within the Council and every initiative that we undertake in making sure that we are developing new standards and programs and awareness and training around things that will bring value to the payments industry. So it also helps us to communicate to our stakeholders and define what it is we do, and what we don't do, as well as why. So a quick overview of the pillars. As payments and technology continue to evolve and change, increasing our knowledge across that industry is what's gonna be really integral and then that helps our participants and stakeholders in the industry be able to integrate and implement our standards in the best way possible.
So, with this participation and knowledge, we can evolve the standards and programs, keeping them relevant and current for all of the stakeholders and meeting the needs of the industry. Well we also want to ensure that any new payment channels that emerge are secure, so continuing to prioritize that consistency and industry alignment to reduce all the redundancy that you may have trying to comply with multiple different standards and regulation. It also helps to reduce friction for the stakeholders. So the thing to keep in mind is that the four pillars that I mentioned, not one is higher priority than the other. They all work together to help us fulfill that mission. Next slide please. So, one of the things that we wanted to bring up here is that the figures from a 2017 paper that was published by the Federal Reserve talks about the fact that there are 120 billion card payments, so that's quite a few. And $6.4 trillion in transactions with 6.4 billion in credit card fraud. So those numbers just kind of frame where we are with the state of payment security. And then one of the other things I wanted to mention is that a 2018 Trustwave report stated that payment card data is the number one type of data that attackers are gonna seek out whenever they breach an organization. So, we also wanted to let you know that a 2017 Ponemon Institute report said that the chances of actually being hit by a data breach is as high as one in four. So you can see that in understanding security awareness and bringing everybody in line and making sure that folks understand this is really really important. So PCI DSS requirement 12.6 is a requirement that you must implement a formal security awareness program, making sure that all your employees understand and are aware of your security policies and card holder data security. There are two sub requirements to the, to the PCI DSS requirement.
The first one is making sure that you educate your personnel when you hire them and then at least annually. And you wanna make sure, because if your personnel's not educated about their responsibilities and your security policies and those processes wind up not getting implemented, they may become ineffective through just error. Or they could even be ineffective through intentional action and then the other second piece of that is making sure that the personnel acknowledge at least annually, that they've read and understood that security policy and those procedures and that also helps you have metrics on who's going through this training, who's understanding the training and then that they've made that commitment to comply with those policies.

Lisa: So, we're gonna switch gears a little bit and talk about actually designing and running a training and awareness program. So I think when you're designing a program, there's some key things to think about. You've gotta figure out, you've gotta plan a program that's gonna fit with the goals of your business. So you need to know what those business goals and objectives are, so it could be driving revenue, driving market share, maybe it's grooming the company to get acquired or go public or growing a client base. And then you have to figure out how you align with those goals. So for instance if there's some M&A activity that's pending or something, or maybe you're grooming the company to actually go public, but then you might be able to put more of a shoulder behind your program because typically a lot of publicly traded companies have more, could have a more aggressive, more built out program, so that might give you some wind in our sails. So knowing what those business goals are and figuring out how you can align with them is really important. You might even find that some of the products or services in your company benefit from security as a selling point, so that can be an asset, and that's another good way to align with the business. The other thing is making sure that you're aligned with the organization's risk appetite. If you're in a heavily regulated industry you might have additional compliance requirements beyond PCI. And you might have a company culture then that has a lower appetite for risk. A really well-governed company will have their risk appetite actually defined and documented so you can align your program with whatever that documented risk appetite is. You've gotta obviously fit with the security strategy and goals of the organization.
So maybe if the strategy from the CSO is to get more involved with the business and to be more involved upstream to help, to sort of have security designed in on products and services, then the goal of your program might be to drive engagement with the business. So how can you do that with your training and awareness program? How can you support the strategy and goals of the security organization? You might have a really well defined organizational culture or you might not. There might not be one at all. So, it could be well-established, it could be kind of ad hoc, you could be in a very good place where you have a positive company culture, people like working there, it's a place that has an easy time recruiting because it's thought of as being a great employer. Or you could actually have a negative corporate culture, organizational culture. And what I would say here is that you can't sort of rely or wait for HR or corporate communications or anybody else, whose seemingly responsibility it is to establish that culture. It's on us to establish a positive security culture in our organizations. And we may have to do that in spite of whatever roadblocks we get or hurdles we have as far as the overall company culture. So I think, this is where I like to say this where you need to say the serenity prayer, right? So, it's knowing what you can change and what you can't and what you can affect and what you can't. And I would say as security professionals it's up to us to set the security culture of the organization. So you might have something you can leverage as far as organizational culture goes, or you might have to establish it yourself. It also needs to fit with your current maturity and give you sort of a plan for the future. Starting off with something that's too aggressive isn't gonna, gonna maybe go over people's heads or not be a good fit. So just be honest about where you are and from a maturity standpoint and start there and plan ahead.
And then lastly it's resources, right? You gotta have the time and the money to run the program that you think should be running. And then the other things to think about when you're designing a program are knowing where your greatest assets, what your greatest assets are and where they are. It's probably a combination of things. It's data, intellectual property and people. So making sure you know what those things are, if you've done something like a MITRE Crown Jewel Analysis or you've done some of your homework for GDPR you probably have a handle on where your data is. Beyond PCI or SPI and PII, knowing where that is, how it's stored, how it's handled, all those good things. That should feed in to planning your program. And then who are your highest risk groups? Do you have people that handle that data? Do you have, for instance it could be folks that work in finance that do accounts payable. Any of those places where you might have figured out who your high risk groups are just from incidents that you've had, from if you're doing phishing, simulated phishing exercises, those can point you to high risk groups. And then, where do you think the biggest knowledge and skills gaps are with your people? Like who seems to need the most help? And as we move to the next slide I can talk about how you can kinda figure out who those folks are. So, I think what's really helpful, you know I came from a marketing background, so in my world it would have been market research, but we can kinda do this same thing in our organizations, right? Figuring out sorta where we are, it's kinda the concept behind Kaizen or any kind of quality management process, improvement type stuff, until you have a current situation analysis, until you know where you stand, it's hard to plan and hard to move forward. So, what are the ways you can kinda figure out where am I today? You can give your employees a pre-test, a training pre-test, to get to understand what their level of security skills are.
You might have audit results that point to issues in the company where you know you need to train to shore up those skills. You can look at IT ticket data, depending on the granularity there. You might be able to see how many machines have we re-imaged due to a malware infection? Other, you know, lost and stolen devices. You could be tracking who's lost their badges or their IDs, all those types of things. And then obviously looking at incidents as well. Does that show a lack of skills or a lack of understanding about lack of security expertise on the part of employees that's helped to create those or was the root cause of those incidents? And then again, looking at the risk register. That can give you some idea of where you need to do some skills training. But I think skills is just one piece of it. There's also this idea of sort of the knowledge and the attitudes that people have. And this goes a long way. Those attitudes go a long way in forming that security culture. So, a lot of practitioners have done this and found success doing employee surveys. So it could just be like a 15 or 20 question SurveyMonkey that you're not looking for skills, it's not like do I know how to recognize that this is a phishing email or not? But more like do people feel positive or negative about interactions with the security department? We actually offer a survey that you can use. There's a couple of them floating around out there from people like me in social media that advocate for doing this kind of survey. So it might give them, questions might give you sort of a what if, what would you do if you, I don't know, saw credentials posted out on Confluence or something or just some what if scenarios. And then, when you're faced with a certain situation does it occur to you to engage the, maybe you have a new idea for a new product, at what point would you engage somebody from a security department to help you sort of design security into that product or what have you?
Just trying to get at people's attitudes about all things security related and then their interactions with the security department. And then focus groups, you could do the same thing. If you feel like people won't talk openly about how they feel about working with the security team, meaning like, I think they're a department of no, and I don't get any value from working with them, they just get in my way and slow me down. Or do they have positive things to say? If you don't feel like they'll be honest about that, you can have somebody else hold the focus group and just record it. But it's another chance for you to tease out those attitudes about how getting to that real security culture. Interviews and personas, we'll talk about these a little bit later too, so that's the idea of sort of getting into the heads of some of the people that you're gonna try and train. So do I understand what makes them tick? And can I put engaging awareness material in front of them that, because I understand what their day looks like, what their pain points are, how busy they are, what their priorities are. And can I find messaging that resonates with them? And then stakeholders, obviously they're not neutral parties by definition, because they're stakeholders in your program. This might be people like legal or training and development, HR, corporate comms. So they might, having individual conversations with some of those people might be enlightening as well, and I think that's another perspective on what your culture is like at the moment, your current culture. One word about stakeholders and committees. I know a lot of organizations use a committee to form and plan and organize and launch their program, or an advisory board. I'm more of a fan of, of us being security practitioners being, if we're accountable and we're responsible, then we also have to be empowered to run these programs. 
And I think if you're doing security awareness that actually gets people's attention and is effective, sometimes if you wanna do something from a communication standpoint is a little bit outside the norm or you're doing something, maybe you're using humor or you're using something dramatic or you're doing something a little bit different in the world of training and awareness, when you put that through the sausage machine that is many committees, a lot of times what comes out the other side is, runs the risk of being more watered down because so many people got involved and maybe have put their mark on it from their perspective. And so, I think, I think depending on your corporate culture, you have to do what's right for your corporate culture. Some companies it's better to be more iterative and to ask forgiveness instead of permission. Some places run everything through a committee or an advisory board and that's fine, but I can tell you from working at a technology company and running a program that if I'd have used an advisory board or some sort of committee, we would probably still be talking at a program about the program and probably still wouldn't have gotten it out the door. And I can say with surety that it wouldn't have been as attention getting because it would have probably gotten a little bit watered down and it woulda looked a little more quote, unquote corporate. So, what I advocate for is a RACI matrix. So this means that you'd have different people in your organization that are responsible, accountable, consulted or informed. So responsible is the person who has to make it happen, right? They're the person that's assigned to do the work. Accountable is kind of the final decision, buck stops here person. Consulted is getting buy-in and trying to work together with people to get their consultative input. And then informed is just what it says, you're simply informed, this is an FYI.
So if you look at the next slide, that's what the matrix might look like if you have different folks from for instance HR, corporate communications, what have you, involved in your program, and I would say that having sort of just enough project management and program management without slowing down, and without sorta taking a lean delivery approach and being a little more agile and iterative, you know, unlike a lot of things in IT and in security, we really can't break anything in training and awareness, right? You can always pilot messages, you can always test things, and you can always iterate your way to a really good program as opposed to, I think when we slow down and we feel like we have to have everything perfect before we get started, you know the bad guys are moving too fast for us to not move fast too. And so I think it's more important to be dynamic and to be more iterative and to get started than it is to wait till everybody's 100% on board with everything you're doing and every detail is absolutely perfect. And with that, I'll turn it back over to Elizabeth.

Elizabeth: Thank you. Okay, so segmenting your training audience. So this is one of the really important pieces once you've defined the program. Being able to understand who needs what type of training when it comes to security. So one of the biggest things is to go through the process of identifying all the different roles and responsibilities and you can do a risk assessment of those roles once you've figured that out. And this particular visual can be found in an information supplement that the Council published on our website back in 2014 on the best practice for implementing a security awareness program. And that document and all the documents on our website are free so you can download those. But it's a really great visual that shows you that as the risk level for each of the different roles increases, so should the depth of the security awareness training. And so, again with that increased risk you wanna increase the level of training that's needed. So just at the bottom you can see, for all personnel you're gonna have some general security awareness training that you want everyone to have. And then as you kind of go up in the risk, and the risk can be based on what data or information assets do these folks have access to, so that intermediate awareness is all of your management, those decision makers, some of those specialized roles, and then the super specialized roles would get a really in depth security awareness training and a super specialized role I like to pick on payment software developers. Because they need to be able to develop that software with security in mind from jump. So that security awareness training and could be secure coding practices, different types of things. 
It's gonna go up because they have direct access at some point to payment card data and potentially into your card holder data environment and that may be someone else, it may be an IT admin, or it may be someone who has access to the firewalls and the switches that protect and segment that card holder data environment from your corporate network. So, like I said, this is a really great visual. It is in that document if you wanna go download it. So, one of the next things we wanted to talk about is some topic recommendations. So you see a screenshot here of one of the appendices in that document and it's just a mapping of topics and materials and metrics based on the PCI DSS requirements themselves. There's 12 requirements, you can break it down into the actual sub-requirements and get a little more granular if you wanna do that, but this is a really great way to, if you are responsible for complying with PCI DSS as an organization this is a really great way to make sure that you're hitting all those roles and making sure that everyone is getting the right information. So, when we talk about all personnel, so there's kind of a minimum security awareness that you want to establish for all personnel and that's gonna be kind of the base of all of the training for a security awareness program. And within that, you know security awareness training, and in this document you can see this, but there's multiple different ways to push this information out. It doesn't have to be that computer based training that you get where you might be doing something else, answering emails, on a conference call and you're clicking through it, but it can also be formal training. So, for those roles that have a higher risk level, then maybe they get an actual instructor based training. It could be emails, it could be infographics, bulletins, posters, other types of things. 
It could be a full-on program to push this information out and to have that security awareness at the forefront of everybody's mind. And it needs to be again, as Lisa mentioned, it needs to in, congruent with the overall culture of the organization and what's gonna have the most impact. So in the document that I mentioned, the information supplement, it breaks down some of the content that you might have, based on the different topics and based on the different levels what you might take a look at. So, definitely go take a look at that document and pull that down and that'll give you a lot of really great information and again, it is just, it's best practices, but it's also something that you want to ensure that depending on once you've done that roles and responsibilities matrix and who is at a higher risk or you wanna make sure that you have the appropriate information there. And one of the things I picked on the payment software engineers and we just recently released our Software Security Framework that will eventually replace our Payment Application Data Security Standard. So that has a lot of really good information as well.

Lisa: So Elizabeth talked about those different roles and understanding the different audiences for your training. So one of the ways you can do that, you know, she mentioned role based training and maybe OWASP top 10 type training, secure coding, training for developers, things like that. So one of the ways you can kinda figure out who are those different groups in the company and how can I appeal? How can I put content in front of them that's actually gonna appeal to them and is relevant to them? This kinda borrows from the idea of marketing personas, it's one of the marketer's tools in their toolbox. And if you can interview people in different roles in your organization, like maybe it's software developers, maybe it's support associates, whoever it might be, and understand what you're attempting to do here is documenting what makes them tick. What does their day look like? What do they value? What motivates them? When they need information, where do they go for that information? What risks do they face? What are their priorities all day long? You might find, if you sit down and do, you can either do an interview, a persona interview, or you can shadow a person for a day and just see what their day looks like. I've heard of security folks doing this when they've had a rash of incidents from a particular department, that they get embedded with that business for a couple hours or a day and spend more time with the people in the roles so that they have a, you're not doing this so much to segment and target them, as you are for you to have a better understanding. Because if we don't put training and awareness material in front of people that they can relate to, then we miss our chance for them to actually learn something from it and that possibility that what we're all going for is that they're actually gonna alter their behavior. So you're trying to put content in front of these folks that's just more relevant to them and is less general. 
The idea is to get the right message to the right person at the right time. So, this is another way to look at it from a marketer's perspective. Having a frequency or a regular cadence of training, having short, more frequent engaging training is far more effective than, as Elizabeth mentioned, the sort of once a year long module that you might click through while you're on a conference call or while you're doing something else. I think everybody in the industry has rallied around that, that we all realize now that the data shows that doing shorter, more frequent training is just more effective. So at the top there you see measure. So that would be that market research that we talked about earlier, just being able to understand like what is the current culture? What is our current click rate on phish? How many malware infections are people getting every month? All those different points of data that we talked about, getting those all together and seeing what the current situation is. And then we have a particular series called WORKed, it's a live-action comedic series. And so we've made that picture on the top left is a picture of a campaign kit. So, you can download that campaign kit for free just to get an idea of what the cadence would look like, even if you're not a customer or don't use this particular series, this kind of explains the idea of doing what a marketer would call a layered or an integrated campaign. So after you kinda get that current situation analysis, those measurements, then you would tease. Sort of a coming soon. Tell people that there's training coming. Tell people what's gonna be happening. And then, getting things prepped, getting your materials together, whatever training and awareness material you're gonna use, and then launching that first week of the series. Maybe you conduct a phishing exercise during that time. And then kind of evaluating what's working and what's not.
So if you've created content, like infographics or posters or what have you or articles in a company newsletter, what kind of content is attracting people? Where am I getting the most clicks? Where am I getting the most eyeballs? How many people have taken their training? Is there some training they like better than others? I've seen practitioners test different types of training modules with different groups. Some people might like something comedic, some people might want a more traditional CBT that's a more straightforward educational approach. So figuring out what works and for whom. And then doing that over and over again over time with different pieces of content. So it might be a different video, a different CBT, different themes, different behaviors that you're trying to influence. So, you'll also notice here that this is really more about engagement and what's working and less about compliance and what percent of people took my training. So, I am a firm believer in kind of running two parallel programs. As soon as you tell people that they have to do something, it automatically becomes less engaging. That's just human nature. Especially if you launch something that's humorous. If you tell me I have to watch it, I'm automatically like less entertained because I was told I had to do something. And especially if you nag me and chase me and send me emails every couple weeks telling me I have to go watch something funny. It's just getting less and less funny the more I drag my feet. So, I, in my program when I was a practitioner ran a compliance based program which was the bare minimum that I needed to do according to what I was trying to be compliant with. And so we made that very easy on ourselves, it was very straightforward, we got very clean reporting. Because that's really all the auditor wants to see is that report of how many people took the training. 
Everything else we did, funny videos and game shows and you know, all the other stuff, live hacks and all the other things we did as an organization, was all voluntary. And that relies on you to be engaging. If it's voluntary then you're gonna know what's working and what's not, and you're gonna realize that you have to put material and content and relevant information in front of your audience that they're naturally drawn to because you've succeeded in getting their attention. So, it definitely means that there's a little more work to do in that way. But there's so much good material out there from vendors across the board today that it's, of course I'm really partial to ours obviously, but there's even as far as secure coding training. When I did secure coding training with folks four or five years ago I mean there were very few options to choose from, and today there's a lot more engaging, relevant short content out there. You don't have to kill them with hours and hours of training. So then how do you present the results of all this to your leadership? So what do they really need to know, and why should they care that you're even running a program? So I always lead with the why does this matter? Even if you've given them that explanation in the past, maybe you're presenting outside the security organization to other executive leadership. They don't live and breathe this security stuff every day, and so they probably need a reminder on why this even matters. So always start your presentation with why they should care. And then providing both qualitative and quantitative information, so, if you look at data around risk, to be able to say well we determined that these are our biggest risks, or this is what the risk register said, or these are the data points that we gathered and determined that these were our biggest risks. And so this is what our culture looks like, our existing corporate culture or security culture. And then, here's how I've affected those, right?
What are the results that would show that we're addressing our biggest risks and that even though we have a move fast and break things kinda culture, this is how we've been able to get people to slow down just enough, or how security has fueled innovation rather than holding it back. Most executives will have a pretty good handle on what the culture of the company is, so if you can show how you're aligning with that, that'll be a good thing. And then in addition to providing data being able to tell people a story, whether it's a quote out of a focus group or it's a quote from an employee about an incident that they were a part of somehow or that affected them somehow or that they reported. I had a quote that I used from, we did some fun penetration testing with badging in the morning. We had an improv actor we used at the front door with a cup of coffee and a cell phone and to see who would let him in. And one person actually said, "I'm not security, it's not my job." So of course, that made a really effective quote on a slide to talk about what the existing culture was and how we were trying to affect that. So I think it's really important to have quantitative and qualitative measures for your program.

Elizabeth: Exactly, and then one of the other things that we have in the information supplement is some ideas for measuring that success. And so from a security perspective or payment security perspective, one of the things could be that it is, you have an increase in the reports of attempted email or phone scams. You know the social engineering, like you said, the actor at the door. That's a social engineering attack. Those happen a lot more than people actually realize. And so if you can get an increase in the number of attempted email or phone scams or trying to piggyback through the door in the morning, then that gives you better recognition by the personnel of those phishing and social engineering attacks. Maybe it's less downtime in infected machines. So you've got better controls and fewer malware infections and there's, you can get metrics both operationally and for your training program overall. But this is gonna be based on each organization and again, the examples given in the table that's on page 11 of the information supplement are just ideas to get you started. You're gonna, depending on what you come up with and what type of organization you are, you may have very different metrics and what those effectiveness indicators might be. So one of the things that I wanted to draw your attention to, Lisa had mentioned that there's a lot of really great information that's out there and the PCI Council is no exception to that. We have what we call our small merchant materials. And one of the things that I've found really beneficial about those small merchant materials is that they are multipurpose, not only for those small merchants, because it is in very simplistic language. Unfortunately in the payments industry we use a lot of acronyms and a lot of really kind of technical words that your small mom and pop don't understand, but the small merchants materials, we have a lot of really great information out there. 
As you can see on the screen malware, phishing, remote access, weak passwords, outdated software, skimming, not only do we have really short informational videos, but we also have infographics that are available that are free of charge, you can download and you could use those in your own security awareness program. You could give them around to all the different departments within your organization to help draw attention to these types of ideas around payment security and IT security in general. And again, it's very simplistic language so for your general security awareness training that might be a really great add. And then as far as PCI is concerned, if you want to stay informed around any of the things that we have going on you can subscribe to our PCI Perspectives Blog, or to our press release RSS feed and be up to date on all the different things. We're constantly posting information on the blog around not only our standards, but around any of the infographics that we have, any trainings that we may have coming up and we also send out weekly, our PCI PO monitor. So if you are a participating organization or work for a participating organization, you can reach out to us and be able to receive that and that keeps you up to date as well. We are on social media so you could follow us on Twitter at PCISSC or on LinkedIn at the same. And then if you're interested in any additional training that we might have available, which includes our PCI awareness training, so get a little more knowledge as far as it is concerned related to PCI in general. You can go to the programs link there to gather additional information.

Megan: All right, well, thank you so much Lisa and Elizabeth. Now I'd like to go ahead and take a few questions from the audience. If you haven't had time to submit any questions yet you can still do so. The first one we have in, this is one for you, for certain Elizabeth, and if you can't answer it now, that's okay, we can follow up with Jim after. Jim's question is as P2PE is a new device rating, can you explain the difference in P2PE certified versus VS certified? Elizabeth is this something in your sort of area of expertise, or should we follow up with Jim after the webinar?

Elizabeth: Well, I can give some general information. So P2PE stands for point to point encryption and that is a standard that the PCI Security Standards Council, I think it was a couple of years ago, we're about to come out with version three, so we're on version two right now. And point to point encryption simply means that if you're using a point to point encryption solution that is listed on our website that means that from the point of interaction, from the time the person dips or swipes their card, everything is encrypted all the way back to the payment processing entity. And what that does is give you a reduction in the PCI DSS scope. As long as you are using again, a point to point encryption solution that is listed on our website you can get reduction in that PCI DSS scope. So, as far as the other piece of the question, I wasn't really clear on that, and I'd be happy to follow up after. Hopefully that did answer some of your question and if not just let us know.

Megan: Okay, great, thank you. Another question came in related to sort of who has to comply with PCI DSS standards? So Elizabeth, are all companies required to meet these standards? Or is it just organizations of certain sizes or in particular industries?

Elizabeth: Well, generally speaking any organization that stores, processes or transmits payment card data is required to comply with PCI DSS. However, the caveat to that is depending on whether or not as far as size and different types, depending on whether or not the payment card brands for those cards that you accept require you to comply. So you would need to reach out to that payment card brand just to make sure. And we do have an FAQ on our website if you need that contact information to search for that on our website under the FAQ database and all the contact information is there for you to be able to reach out.

Megan: Thank you so much. I think this is a perfect question for Lisa. Lisa, this person works in a highly regulated industry and so PCI DSS standards is just one of the many types of compliance training they have to offer. So any recommendations for this person around making compliance related training a little bit more engaging for employees or sort of balancing, right, all the needs for compliance training versus just your ongoing awareness and training?

Lisa: Yeah, I would say it's just really really hard to, you know when you say the word compliance, that implies that people have to comply. Just that, there's just a negative connotation there. So, maybe calling it annual training or even wrapping, putting different nomenclature on it could serve to sort of brand it a little bit differently. I would say to do, and I don't mean this flippantly, but to really do the minimum, right? To meet the compliance obligation and that's it, and then everything else you do, even if you send out like a five minute thing every month, something that's more edutainment, right? Something that's more entertaining or more role based, more specific to their job, I would keep the compliance piece as, if you look at it from the employee's perspective, and you're heavily regulated, you've got multiple, probably multiple modules of compliance training that you have to do to meet each regulation. Chances are you've also got annual policy acknowledgement. Look at the load on your average employee. How much time are we actually asking of them to do all this stuff, and do we think that they're gonna go into with a mindset of actually wanting to learn and change their behavior about something in particular? Probably not. So I would see the compliance training, whether you lump it all together or you spread it out over the year, whatever you do that kinda lessens the load on employees as much as it possibly can. Make sure you coordinate with policy acknowledgement and all those other things, those mandatory things that employees have to deal with. Coordinate those and just try to minimize that load on employees and recognize that doing that activity doesn't necessarily make, being compliant doesn't make you secure. And if you're trying to change the culture, you're probably not gonna get there through the compliance training. So see those activities as something different. 
And something engaging and a chance to really win hearts and minds as opposed to, okay, I've got my report ready for the auditor because I met my compliance responsibilities.

Megan: Okay thank you--

Lisa: I hope that helps.

Megan: Yeah, definitely. One last one for you Lisa. This person's third party vendor network is pretty large and the majority of those vendors are smaller organizations, so do you recommend that companies consider extending awareness and training and things around PCI DSS to those third party vendor employees? Any recommendations on how they might do that or if that's a good idea?

Lisa: Yeah, so I did that in my previous life. And we actually talked about that on a webinar. We did a supply chain webinar not too long ago with the NCSA and a woman from the supply chain CSO, from a large organization. Anyway, that's out there, that's probably recorded if somebody wants to look at it, but we talked exactly about that, right? About going upstream and downstream in your supply chain, and trying to leverage your program as much as possible. So we actually, in my previous life, we actually extended some training modules, some free training modules to our customers. Because we felt like, they were a lot of small and medium size businesses, they didn't have the resources or the people or the time to put together a program of their own. And so we wanted to make it as easy for them as we possibly could and we decided the best place to start was with a couple of free training modules. So I'm a big fan of doing that. I mean, it's an overused phrase, but we are only as strong as our weakest link, and so as much as you can go upstream to your third party vendors and downstream to companies for whom you're a vendor or your customers, I'm a big fan of that. And talk to the vendors that you use today for your training and awareness and you might find that they'll be willing to partner with you to do that.

Megan: Great, well, thank you so much Lisa. That was our final question aside from one more. If you are interested in receiving a completion certificate, if you need to submit for CPEs please feel free to email me, Megan, at the info@ email that's on your screen right now. That's just info@infosecinstitute.com. So again thank you so much everyone for joining us today. Thank you Elizabeth and Lisa for taking the time to share your thoughts around PCI DSS compliance.

Lisa: Thank you, and I'd add that if anybody wants to reach out to me, I love to talk to people about their programs and helping them strategize. And the best way to find me is probably on LinkedIn. I'm on instant messaging all the time. So don't be shy.

Elizabeth: Exactly and I would echo that as well. One other quick note, I mentioned an FAQ, it's FAQ1142 for the payment brand contact information there and as Lisa said, I'd be happy to chat with anyone, I am also on LinkedIn, it's a good way to reach me as well.

Megan: All right, thank you so much, everyone enjoy the rest of your day.
